Pages

Host Intrusion Prevention System (HIPS) Explained

HIPS ExplainedThis is my attempt to clarify what a HIPS is, what it does and how best to incorporate a HIPS program into your security protection.

What does "HIPS" mean anyway?It stands for Host Intrusion Prevention System. In essence it's a program that alerts the user to a malware program such as a virus that may be trying to run on the user's computer, or that an unauthorized user such as a hacker may have gained access to the user's computer.

Background and historyA few years ago it was relatively easy to classify malicious programs. A virus was a virus and other things were, well – different! Nowadays “bugs” have changed and the defining lines between them have become more blurred. Not only do we have added threats from trojans, worms and rootkits but the different malicious products are often combined together. This is why malicious programs are now often referred to collectively as “malware”, and the applications produced to fight them “broad spectrum”.

In the past detection software relied primarily on identifying malware by their signatures. This method, although reliable, is only as good as the frequency of the updates. There's an added complication in that much of the malware circulating is constantly mutating and changing its form. In the process it changes its signature. To combat this HIPS programs were developed, which add the ability to “recognize” possible malware by its actions rather than signature. These "actions" could be attempts to control another application, run a Windows service or change a registry entry.

It's a bit similar to detecting a criminal by his behavior rather than by his fingerprint. If he acts like a thief he probably is thief. Similarly a computer program that acts like a malicious program probably is a malicious program.

The problem here is that sometimes perfectly legitimate programs may act a little suspiciously and this may lead to a HIPS falsely labeling the legitimate program as malware. These so called "false positives" are a real problem for HIPS programs (see also How to Report Malware or False Positives).That's why the best HIPS programs are those which use a combination of signature and behavioral techniques. But more on this later.

What does a HIPS program actually do?In general terms a HIPS program seeks to retain the integrity of the system in which it is installed by preventing changes to that system from unauthorized sources. Normally it does this by generating a security popup alert asking the user whether any change should be authorized.

This system is only as good as the responses of the user to the popup alert. Even if the HIPS software correctly identifies a threat, the user may inadvertently approve the wrong action and the PC could still become infected.

It is also possible for legitimate actions to be misconstrued as malicious behavior. These so called "false positives" are a real problem for HIPS products, though thankfully they are becoming less common as HIPS programs become more sophisticated.

The positive side to this is that you can use some HIPS programs to control the access rights of legitimate applications, although this would only be advisable for experienced users. I will explain this and why you might want to use it in greater detail later. Another way of looking at HIPS is to imagine it as a firewall to control applications and services instead of just Internet access.

Defining typeModern malware has become so sophisticated that security protection programs can no longer rely just on signature -based detection alone for protection. Now many applications use a combination of different techniques to identify and block malware threats. As a result several different kinds of security products now employ HIPS. Today it is not uncommon to find a HIPS in an anti-virus program or in an anti-spyware program, though by far the most common application of HIPS is as part of a firewall. Indeed most modern firewalls have now added HIPS protection elements to their IP filtering capabilities.

HIPS programs use a variety of detection methods to increase efficiency. In addition to signature recognition HIPS programs also watch for “behavior consistent with the activities of malware”. What this means is they seek to identify actions or events known to be typical of malware activity.

Some behavioral analysis programs are more automated than others and although this may seem like a good idea, in practice it can lead to complications. Occasionally circumstances may combine to indicate that the quite legitimate action of an application is suspicious and cause it to be terminated. You may not even be aware of this until things stop working! This is safe enough and merely an annoyance so long as the process is reversible, but occasionally it leads to possible system instabilities. Although such events are rare their impact can be severe, so consideration of this is advisable when making a choice.

Set-up and configurationHIPS programs should be installed with their default settings and run like this until they have either finished whatever training period is required, or you become familiar with their operation. You can always adjust sensitivity levels and add extra rules if you feel this is necessary later. Applications with default “training periods” are designed that way for a reason. Although it might be tempting to reduce the term of training, you could be reducing the efficiency as well. A PDF guide is usually produced by the makers and it's always a good idea to read this before installing.

Earlier I mentioned the potential for using your hips program to control legitimate application use too. We do this already with our firewalls by restricting port use. You can use a HIPS program in a similar manner to block or restrict access to system components and services. In general, the tighter you tie Windows down the safer it becomes. I read somewhere that safest Windows system is called Linux! ... But that's another issue! Sometimes legitimate programs will set a level of system access on install that is far in excess of what they actually need to perform their normal functions. Restricting applications to "read access” to your hard drive when they don't need a default “write access” as well is one way to reduce risk. You can use the DEFENSE+ settings of Comodo's CIS to achieve this as one example.

When a potential threat is identifiedMost HIPS programs notify users of potential threats using interactive popups when an event is triggered. Some programs automate this process and then tell you about it afterwards (maybe!). The important factor is not to become “automated” yourself when responding. There's no real point in having any security applications if you blindly click “yes” to everything. Just a few seconds thought before making a decision can save hours of work later on (not to mention loss of data). If a notification turns out to be a “false positive” you can sometimes record this as an “exception” to prevent future alerts. It is also advisable to notify the makers about false positives so that they can fix these in later versions.

What if you're not sure?Figures vary according to which you read but up to 90% of all malware infections come from the Internet, so most of the time you will be online when a security popup appears. The advised action is to block the event and Google for information about the file(s) identified. The location of a recorded threat can be just as important as the file name. Also, “Ispy.exe” may be legitimate but “ispy.exe” could be malware. A 'HijackThis' log posting might help but results from the automated service can be a little ambiguous. In general you should do little damage by blocking or quarantining an event until you are sure what to do with it. It is only by deleting things before being sure that could possibly lead to disastrous results!

How reliable are community advisories?The trend now is to include community based advisory content in popups. These systems try to help you respond accurately to security popups by telling you how others have responded.

In sounds an attractive idea in theory but in practice the results may be disappointing. For example, if only 10 people have seen a particular warning previously and nine of them made the wrong choice, then when you see a 90% recommendation to block the program you will follow suit! I refer to this as “sheep syndrome”. As user numbers increase then so should the reliability of the advisories but this might not always be the case so some caution is needed. You can always Google for a second opinion.

Multiple protector or “layered approach”?A few years ago the use of all-in-one security suites did not offer performance levels comparable to using several individual security applications to achieve a “layered” protection. Recently though vendors have invested heavily in suite development and this is now reflected in their results. Some though still contain at least one weak component and if this happens to be the firewall you might want to make another choice. The general consensus is that a combination of separate elements will still give higher performance and better overall reliability. What they do most of course is offer greater choice and flexibility. Comodo was the first major suite to be truly free, but now Outpost and ZoneAlarm also have freeware suites. All of these offer a serious alternative to paid software.

RecommendationsA car is only as good as its driver and the same applies to software. There is no such thing as a “set-and-forget” security program. Try to pick something that you can understand and are happy to use. It's like comparing Sunbelt-Kerio and Comodo firewalls. Yes, if you want to nail things to the ground Comodo has the potential to give better protection, but it's also more difficult to understand. If you find Kerio easier to work with then you are more likely use it effectively and ultimately this would be the better choice (up to Windows XP only. Windows 7 users check out TinyWall) Use the various test results as a guide, but only that. No test can ever duplicate your computer, your programs and your surfing habits.

Selection criteriaI have always selected my own applications in the following order. You of course may think differently!

Do I need it?Many people argue the “usefulness” of some software when balanced against what it is likely to achieve. If your firewall already has a good HIPS component (like Comodo, Privatefirewall or Online Armor) then maybe this is enough. Programs like Malware Defender however do use different techniques so could offer complimentary protection in some circumstances. Only you can decide if you think this is necessary. Experts still advise not running more than one security software of the same type.

Can I use it?Adding any HIPS program will generate more work in terms of configuration requirements and alert management. HIPS programs in general can be somewhat ambiguous with what they find so you should be prepared to confirm their findings. With only average knowledge you might find it a challenge to interpret the results.

Does it work?HIPS techniques are only effective where the user responds appropriately to security popups generated by the HIPS. Beginners and apathetic users are unlikely to be able to make such responses.

For diligent and experienced users there is a place for HIPS programs in PC security as HIPS adopt a different approach to traditional signature based software. Used either as a standalone or combined with a firewall, HIPS will add to your detection abilities.

Will it mess up my system?Security programs by their very nature have to invade the inner sanctum of your PC to be effective. If you already have a registry like a plate of spaghetti, “ghost folders” in your program files, get “blue screens”, Windows error messages and un-requested pages of Internet Explorer opening then adding a HIPS program is only going to make things worse. Even on a clean machine, making a wrong decision could lead to permanent instability. Potentially though, you can do similar damage with a registry cleaner.

Can I use more than one?I see no advantage in using two HIPS programs together. Experts still advise not running more than one active security software of the same type. The risk of conflict outweighs any possible benefits.

ConclusionUsers should maybe consider improving their browser security first by replacing IE with Chrome, Firefox or Opera and using a sandbox before thinking HIPS. People with a standard firewall could introduce Malware Defender for additional protection. Users of CIS or Online Armor would gain no advantage from doing so. System load and resource use are a consideration, although mainly for older machines. There really is no definitive solution other than to say that too many of anything is usually too much! All in all it's about striking a balance. The biggest threat to my computer will always be me!